Merge branch 'SigmaHQ:master' into master

swachchhanda000 · Nov 24, 2023 · 3e94515 · 3e94515
2 parents 09c9db3 + 2c24b24
commit 3e94515
Show file tree

Hide file tree

Showing 130 changed files with 2,379 additions and 1,129 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -8,7 +8,7 @@ Thanks for your contribution. Please make sure to fill the contents of this temp
 
 <!--
 **Please note that this section is required and must be filled**
-A short summary of your pull request. 
+A short summary of your pull request.
 -->
 
 ### Changelog
@@ -19,13 +19,15 @@ You need to add one line for every changed file of the PR and prefix one of the
 new:	<title>
 update:	<title> - <optional comment>
 fix:	<title> - <optional comment>
+remove:	<title> - <optional comment>
 chore: for non-detection related changes (e.g. dates/titles) and changes on workflow
 
 e.g.
 new: Brute-Force Attacks on Azure Admin Account
 update: Suspicious Microsoft Office Child Process - add MSPUB.EXE
 fix: Malware User Agent - remove legitimate Firefox UA
 chore: workflow - update checkout version
+remove: Suspicious Office Execution - deprecated in favour of 8f922766-a1d3-4b57-9966-b27de37fddd2
 -->
 
 ### Example Log Event

diff --git a/.github/latest_archiver_output.md b/.github/latest_archiver_output.md
diff --git a/.github/workflows/goodlog-tests.yml b/.github/workflows/goodlog-tests.yml
@@ -0,0 +1,162 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
+
+name: Goodlog Tests
+
+on:
+  push:
+    branches:
+      - "*"
+    paths:
+      - ".github/workflows/goodlog-tests.yml"
+      - ".github/workflows/known-FPs.csv"
+      - "deprecated/**.yml"
+      - "rules-compliance/**.yml"
+      - "rules-dfir/**.yml"
+      - "rules-emerging-threats/**.yml"
+      - "rules-placeholder/**.yml"
+      - "rules-threat-hunting/**.yml"
+      - "rules/**.yml"
+      - "tests/thor.yml"
+      - "unsupported/**.yml"
+  pull_request:
+    branches:
+      - master
+    paths:
+      - ".github/workflows/goodlog-tests.yml"
+      - ".github/workflows/known-FPs.csv"
+      - "deprecated/**.yml"
+      - "rules-compliance/**.yml"
+      - "rules-dfir/**.yml"
+      - "rules-emerging-threats/**.yml"
+      - "rules-placeholder/**.yml"
+      - "rules-threat-hunting/**.yml"
+      - "rules/**.yml"
+      - "tests/thor.yml"
+      - "unsupported/**.yml"
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+env:
+  EVTX_BASELINE_VERSION: v0.8
+
+jobs:
+  check-baseline-win7:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 7 32-bit baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
+        tar xzf win7-x86.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win10:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 10 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
+        tar xzf win10-client.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win11:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 11 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
+        tar xzf win11-client.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win11-2023:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 11 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client-2023.tgz
+        tar xzf win11-client-2023.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11_2023/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win2022:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 2022 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
+        tar xzf win2022-evtx.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win2022-domain-controller:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 2022 baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
+        tar xzf win2022-ad.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
+
+  check-baseline-win2022-0-20348-azure:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/[email protected]
+    - name: Download evtx-sigma-checker
+      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
+    - name: Download and extract Windows 2022.0.20348 Azure baseline
+      run: |
+        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
+        tar xzf win2022-0-20348-azure.tgz
+    - name: Check for Sigma matches in baseline
+      run: |
+        chmod +x evtx-sigma-checker
+        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
+    - name: Show findings excluding known FPs
+      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
@@ -1,6 +1,6 @@
 name: Auto message for PR's and Issues
 
-on: [pull_request, issues]
+on: [pull_request_target, issues]
 
 jobs:
   build:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,13 +21,16 @@ jobs:
           echo "Previous tag: ${prev_tag}"
           echo "Current tag: ${curr_tag}"
           if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' -c) -gt 0 ]]; then echo "### New Rules" > changes.txt; fi
-          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort | sed -e 's%^% - %' >> changes.txt
+          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*new: ' | sort -u | sed -e 's%^% - %' >> changes.txt
           if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' -c) -gt 0 ]]; then echo "### Updated Rules" >> changes.txt; fi
-          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort | sed -e 's%^% - %' >> changes.txt
+          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*update: ' | sort -u | sed -e 's%^% - %' >> changes.txt
+          if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' -c) -gt 0 ]]; then echo "### Removed / Deprecated Rules" >> changes.txt; fi
+          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*remove: ' | sort -u | sed -e 's%^% - %' >> changes.txt
           if [[ $(git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' -c) -gt 0 ]]; then echo "### Fixed Rules" >> changes.txt; fi
-          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort | sed -e 's%^% - %' >> changes.txt
+          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -E '^\s*fix: ' | sort -u | sed -e 's%^% - %' >> changes.txt
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP 'Merge PR #\d+ from \K(@\S+)' | sort -u > authors_raw.txt
           git log --pretty=%B ${prev_tag}..${curr_tag} | grep -oP "Co-authored-by: \K.*(?= <)" | sort -u | sed -e 's%^%@%' >> authors_raw.txt
+          git log --pretty=%B ${prev_tag}..${curr_tag} | grep -ioP "Thanks: \K.*?(?=$| for)" | sort -u >> authors_raw.txt
           LC_ALL=en_US.UTF-8 sort -u authors_raw.txt | grep -v 'dependabot\[bot\]' > authors.txt
           cat changes.txt >> changelog.txt
           echo "" >> changelog.txt

diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml
@@ -3,38 +3,41 @@
 
 name: Sigma Rule Tests
 
-on: # yamllint disable-line rule:truthy
+on:
   push:
     branches:
       - "*"
-    # paths:
-    #   - "deprecated/**.yml"
-    #   - "rules-compliance/**.yml"
-    #   - "rules-dfir/**.yml"
-    #   - "rules-emerging-threats/**.yml"
-    #   - "rules-placeholder/**.yml"
-    #   - "rules-threat-hunting/**.yml"
-    #   - "rules/**.yml"
-    #   - "unsupported/**.yml"
+    paths:
+      - ".github/workflows/sigma-test.yml"
+      - "deprecated/**.yml"
+      - "rules-compliance/**.yml"
+      - "rules-dfir/**.yml"
+      - "rules-emerging-threats/**.yml"
+      - "rules-placeholder/**.yml"
+      - "rules-threat-hunting/**.yml"
+      - "rules/**.yml"
+      - "tests/test_logsource.py"
+      - "tests/test_rules.py"
+      - "unsupported/**.yml"
   pull_request:
     branches:
       - master
-    # paths:
-    #   - "deprecated/**.yml"
-    #   - "rules-compliance/**.yml"
-    #   - "rules-dfir/**.yml"
-    #   - "rules-emerging-threats/**.yml"
-    #   - "rules-placeholder/**.yml"
-    #   - "rules-threat-hunting/**.yml"
-    #   - "rules/**.yml"
-    #   - "unsupported/**.yml"
+    paths:
+      - ".github/workflows/sigma-test.yml"
+      - "deprecated/**.yml"
+      - "rules-compliance/**.yml"
+      - "rules-dfir/**.yml"
+      - "rules-emerging-threats/**.yml"
+      - "rules-placeholder/**.yml"
+      - "rules-threat-hunting/**.yml"
+      - "rules/**.yml"
+      - "tests/test_logsource.py"
+      - "tests/test_rules.py"
+      - "unsupported/**.yml"
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-env:
-  EVTX_BASELINE_VERSION: v0.7
-
 jobs:
   yamllint:
     runs-on: ubuntu-latest
@@ -79,113 +82,5 @@ jobs:
         sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*
     - name: Test Sigma Rules
       run: |
-        pip install PyYAML attackcti colorama
+        pip install PyYAML colorama
         python tests/test_rules.py
-
-  check-baseline-win7:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 7 32-bit baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win7-x86.tgz
-        tar xzf win7-x86.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win7_x86/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win10:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 10 baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win10-client.tgz
-        tar xzf win10-client.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Client/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win11:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 11 baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win11-client.tgz
-        tar xzf win11-client.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Logs_Win11/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win2022:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 2022 baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-evtx.tgz
-        tar xzf win2022-evtx.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-evtx/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win2022-domain-controller:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 2022 baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-ad.tgz
-        tar xzf win2022-ad.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv
-
-  check-baseline-win2022-0-20348-azure:
-    runs-on: ubuntu-latest
-    needs: test-sigma-logsource
-    steps:
-    - uses: actions/[email protected]
-    - name: Download evtx-sigma-checker
-      run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker
-    - name: Download and extract Windows 2022.0.20348 Azure baseline
-      run: |
-        wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz
-        tar xzf win2022-0-20348-azure.tgz
-    - name: Check for Sigma matches in baseline
-      run: |
-        chmod +x evtx-sigma-checker
-        ./evtx-sigma-checker --log-source tests/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ --rule-path rules-emerging-threats/ --rule-path rules-threat-hunting/ > findings.json
-    - name: Show findings excluding known FPs
-      run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv